Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 5 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -1307,10 +1307,12 @@ No outputs are provided by this action.

## `code-signing`

Install and configure DigiCert smctl and jsign tools for code signing with caching support.
Install and configure DigiCert Software Trust Manager (smctl) and jsign tools for code signing with caching support.

This action provides a complete setup for DigiCert's SigningManager tools (smctl) and jsign with intelligent caching
This action provides a complete setup for DigiCert's Software Trust Manager tools (smctl) and jsign with intelligent caching
to avoid re-downloading tools on every run. It handles all DigiCert authentication setup and environment configuration.
It uses the maintained [DigiCert Binary Signing](https://github.com/marketplace/actions/digicert-binary-signing) action
(`digicert/code-signing-software-trust-action`), which replaces the deprecated `digicert/ssm-code-signing`.

### Requirements

Expand Down Expand Up @@ -1363,7 +1365,7 @@ After running this action, the following environment variables are available:
- `SM_CLIENT_CERT_FILE`: Path to the decoded client certificate file
- `SM_CLIENT_CERT_PASSWORD`: Client certificate password
- `SM_CODE_SIGNING_CERT_SHA1_HASH`: Certificate fingerprint for signing
- `SMTOOLS_PATH`: Path where SMTools are installed, certificate and `.cfg` file is stored.
- `SMTOOLS_PATH`: Directory containing the generated `pkcs11properties.cfg` PKCS#11 provider config used for signing.

---

Expand Down
77 changes: 46 additions & 31 deletions code-signing/action.yml
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
---
name: Setup DigiCert Code Signing Tools
description: Install and configure DigiCert smctl and jsign tools with caching support
description: Install and configure DigiCert Software Trust Manager (smctl) and jsign tools with caching support
inputs:
jsign-version:
description: Version of jsign to install
default: 7.2
force-download-tools:
description: Force download both DigiCert and jsign tools (disables caching)
description: Force a fresh download of the DigiCert and jsign tools (bypasses caching)
default: false

runs:
Expand All @@ -19,18 +19,14 @@ runs:
run: |
echo "JSIGN_VERSION=${JSIGN_VERSION}" >> "$GITHUB_ENV"
echo "JSIGN_CACHE_KEY=jsign-${JSIGN_VERSION}-${{ runner.os }}" >> "$GITHUB_ENV"
echo "SMTOOLS_CACHE_KEY=smtools-linux-x64-${{ runner.os }}" >> "$GITHUB_ENV"
echo "SMTOOLS_PATH=/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64" >> "$GITHUB_ENV"
echo "JSIGN_CACHE_PATH=/tmp/jsign-cache" >> "$GITHUB_ENV"

- name: Cache code signing tools
- name: Cache jsign
uses: SonarSource/gh-action_cache@a7d13cdd1c9f097a5f8382ccec463be2831e3dbc # v1.6.0
id: tools-cache
id: jsign-cache
with:
path: |
/tmp/DigiCert One Signing Manager Tools/smtools-linux-x64
/tmp/jsign-cache
key: tools-${{ env.SMTOOLS_CACHE_KEY }}-${{ env.JSIGN_CACHE_KEY }}
path: /tmp/jsign-cache
key: ${{ env.JSIGN_CACHE_KEY }}

- name: Get DigiCert secrets from Vault
id: secrets
Expand All @@ -43,18 +39,41 @@ runs:
development/kv/data/sign/digicert client_cert_password | SM_CLIENT_CERT_PASSWORD;
development/kv/data/sign/digicert host | SM_HOST;

- name: Setup DigiCert Client Tools
if: steps.tools-cache.outputs.cache-hit != 'true' || inputs.force-download-tools == 'true'
uses: digicert/ssm-code-signing@1d820463733701cf1484c7eb5d7d24a15ca2c454 # v1.2.1
- name: Setup certificate and environment variables
shell: bash
run: |
rm -f Certificate_pkcs12.p12
echo '${{ fromJSON(steps.secrets.outputs.vault).SM_CLIENT_CERT_FILE_B64 }}' | base64 --decode > Certificate_pkcs12.p12
echo "SM_HOST=${{ fromJSON(steps.secrets.outputs.vault).SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ fromJSON(steps.secrets.outputs.vault).SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=${PWD}/Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ fromJSON(steps.secrets.outputs.vault).SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ fromJSON(steps.secrets.outputs.vault).SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"

- name: Setup DigiCert Software Trust Manager tools
id: digicert-setup
uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # v1.2.1
with:
force-download-tools: ${{ inputs.force-download-tools }}
# force-download-tools disables the action's GitHub cache so the tools are re-downloaded
use-github-caching-service: ${{ inputs.force-download-tools != 'true' }}
Comment on lines +53 to +58

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Quality: Migration depends on unverified third-party action I/O contract

The migration assumes the new digicert/code-signing-software-trust-action@v1.2.1 (1) accepts an input named use-github-caching-service and (2) exposes an output named PKCS11_CONFIG. The entire SMTOOLS_PATH consumer contract is derived from steps.digicert-setup.outputs.PKCS11_CONFIG (line 63). If either name is wrong, the use-github-caching-service input would be silently ignored by Actions (composite inputs are not strictly validated against the called action), and PKCS11_CONFIG would be empty — the latter is at least caught by the fail-fast guard at lines 67-70. The PR description itself flags that real Windows signing cannot be proven here. Recommend confirming the exact input/output names against the action's action.yml before merge (the PR is correctly marked draft pending the downstream smoke test), and noting that an incorrect input name fails open (caching silently not toggled) rather than failing fast.

Was this helpful? React with 👍 / 👎


- name: Add smctl to PATH (when using cache)
if: steps.tools-cache.outputs.cache-hit == 'true' && inputs.force-download-tools != 'true'
- name: Expose Software Trust Manager tools path
shell: bash
env:
PKCS11_CONFIG: ${{ steps.digicert-setup.outputs.PKCS11_CONFIG }}
run: |
echo "Using cached smctl from ${SMTOOLS_PATH}"
echo "${SMTOOLS_PATH}" >> "$GITHUB_PATH"
# Preserve the SMTOOLS_PATH contract used by downstream signing
# (e.g. sonarlint-eclipse pom.xml: ${env.SMTOOLS_PATH}/pkcs11properties.cfg).
if [[ -z "${PKCS11_CONFIG}" ]]; then
echo "::error::code-signing-software-trust-action did not expose a PKCS11_CONFIG output"
exit 1
fi
SMTOOLS_PATH="$(dirname "${PKCS11_CONFIG}")"
echo "SMTOOLS_PATH=${SMTOOLS_PATH}" >> "$GITHUB_ENV"
# Ensure the lowercase filename consumers expect resolves to the generated config.
if [[ ! -e "${SMTOOLS_PATH}/pkcs11properties.cfg" ]]; then
ln -sf "${PKCS11_CONFIG}" "${SMTOOLS_PATH}/pkcs11properties.cfg"
fi
Comment on lines +71 to +76

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Edge Case: SMTOOLS_PATH symlink assumes config dir is writable

SMTOOLS_PATH is computed as dirname(PKCS11_CONFIG) and, when pkcs11properties.cfg is absent there, a symlink is created in that directory (lines 74-76). This assumes the directory the third-party action writes its PKCS#11 config into is owned/writable by the runner user. If the action places the config under a root-owned or read-only location, ln -sf will fail and abort the step. The previous implementation used a /tmp-based path that was always writable. Consider verifying the action's config location is user-writable, or fall back to creating the symlink/copy in a controlled directory and exporting that as SMTOOLS_PATH.

Was this helpful? React with 👍 / 👎


- name: Setup jsign
shell: bash
Expand All @@ -68,7 +87,7 @@ runs:
sudo apt-get update -q
sudo apt-get install -y default-jre-headless

if [[ "${{ steps.tools-cache.outputs.cache-hit }}" == "true" && "${FORCE_DOWNLOAD_TOOLS}" != "true" &&
if [[ "${{ steps.jsign-cache.outputs.cache-hit }}" == "true" && "${FORCE_DOWNLOAD_TOOLS}" != "true" &&
-f "${JSIGN_CACHE_PATH}/jsign_${JSIGN_VERSION}_all.deb" ]]; then
echo "Installing jsign from cache..."
sudo dpkg --install "${JSIGN_CACHE_PATH}/jsign_${JSIGN_VERSION}_all.deb"
Expand All @@ -80,18 +99,6 @@ runs:
sudo dpkg --install "${JSIGN_CACHE_PATH}/jsign_${JSIGN_VERSION}_all.deb"
fi

- name: Setup certificate and environment variables
shell: bash
run: |
rm -f Certificate_pkcs12.p12
echo '${{ fromJSON(steps.secrets.outputs.vault).SM_CLIENT_CERT_FILE_B64 }}' | base64 --decode > Certificate_pkcs12.p12
echo "SM_HOST=${{ fromJSON(steps.secrets.outputs.vault).SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ fromJSON(steps.secrets.outputs.vault).SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=${PWD}/Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ fromJSON(steps.secrets.outputs.vault).SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ fromJSON(steps.secrets.outputs.vault).SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"


- name: Verify tool installations
shell: bash
run: |
Expand All @@ -115,4 +122,12 @@ runs:
exit 1
fi

# Check the PKCS#11 config used by downstream signing
if [[ -e "${SMTOOLS_PATH}/pkcs11properties.cfg" ]]; then
echo "✅ pkcs11properties.cfg available under SMTOOLS_PATH"
else
echo "❌ pkcs11properties.cfg not found under ${SMTOOLS_PATH}"
exit 1
fi

echo "All tools installed successfully!"
Loading